Outline

# Background 

# History of the first hardware hacks 

# Summary of security 

# Later hacks 

# Future possibilities 
More History than News

# Many have heard about Xbox hardware hacks

# Xbox hardware has changed little since its introduction

■ At 19C3, Andy presented most of the significant/latest facts
Comparison to Stock PC Hardware

Xbox Motherboard

Picture from http://www.ocmodshop.com/asusnforce/topboard.jpg
What's Different

# Intelligent system management

# Modified system ASICs
Armchair Economics

# What about subscription royalties?

$50 Xbox Live! Starter kit + 1 yr subscription

($15) retailer's margin

($10) operating cost per user (est.)

($20) depreciation, capitalization

e.g., investment of US$1 billion

$5 profit per year offsetting initial hardware loss

^ Assuming initial hardware sales loss of $100, console will not make money over its operational lifetime
Game Consoles

# What's the big deal?

■ US$31bb market in 2002 (projected)^

♦ US$22bb for consoles/hardware alone

♦ Constant growth throughout 2002 despite downturn

■ Million+ unit/month hardware volumes

■ Widely deployed, high-profile embedded hardware market

^ Reuters, "Video-game sales to top $31 billion", June 24 2002
How Much Security?

# Sufficient deterrent to ensure that:

■ O($100) in games, services are purchased over console lifetime

■ On-line gaming experience is enjoyable

♦ A billion-dollar investment on Microsoft's part

♦ This may be one of the biggest differentiation points for the Xbox
Outline

# Background 

# History of the first hardware hacks 

# Summary of security 

# Later hacks 

# Future possibilities 
Why Did I Do It?

# Curiosity

# Challenge

# Fun!
Hackgeschichte (Hack History)

# Xbox was released in November 2002

■ I didn't get mine until late November

■ Nikki got it as a Christmas gift

# Tried obvious/easy things

■ Extract FLASH ROM contents
Extracting FLASH

# FLASH is soldered to board

■ Desolder using "tongs" style iron

■ Install cheap TSOP socket

# Other options

■ Use desoldering alloy

■ More difficult to clean up
Cleaning Up

ROM Analysis

# I soon posted the ROM to my website so others could help me analyze it

■ MSFT called within 12 hours to have me remove the posting

■ No threats of lawsuits, though
Cipher Listing

(Only fragments of the slide's code listing survive; the recoverable lines are reproduced as they appear.)

    /* key-scheduling fragment */
        ... ) % 256
        S[j] = temp;

    // decryption routine
    unsigned char cipherText[16384];
    unsigned char plainText[16384];
    for( index = 0x4000, i = 0, k = 0; ... )   // xbox version
        ...
    // 0xFFFFA000 in FLASH
Theories Fly

# Maybe data/address lines are rotated or scrambled?

# Secondary crypto processor?

# Boot code in CPU?

# Boot code in chipset?
Crucial Observation

# A friend observed:

Changing just the boot vector bytes did nothing to the Xbox

But changing bytes at random in the body of the ROM crashed the Xbox (generally)
Further Experimentation

# Poking further around the boot vector revealed a boundary of roughly 512 bytes within which changes had no effect

# Validated the alternate boot code location
HyperTransport

# Favorable board layout, pin count

■ Fabricate pitch-matched tap board

# High speed

■ Use high-end FPGA or logic analyzer

(Figure: tap board on the HyperTransport bus; the only surviving label is "Tx bus".)
# Board adapts HyperTransport bus to existing hardware

■ Virtex-E FPGA board developed for my thesis

# Clean-sheet tap board would look different

■ Virtex-II FPGA directly on tap board

■ Would cost $50-$100 to fabricate
Analyzing the Bus

# Traces of data collected, synchronized to power-on reset

# Ciphertext sorted from code by histogramming and eyeballing

# Data in traces organized by cache line

■ Code path was patched together using a disassembler and cache line groupings
Summary

Outline

# Background 

# History of the first hardware hacks 

# Summary of security 

# Later hacks 

# Future possibilities 
# Summary of security

Xbox Security Review

# Xbox is a Trusted PC Platform

■ Comparable in spirit to Palladium™, TCPA

■ Hardware is trusted, all executables digitally signed and verified prior to execution

# Physical copy protection

■ 2-Layer DVD-9 format + block scrambling

■ 2-Layer DVDs are difficult to copy

# Encrypted network connections

■ No details available yet, Xbox Live not yet launched

# Minimal perimeter security, tamper evidence
(Figure: trust-model diagram; only fragments of its labels survive.)

To run an executable: decrypt the public-key encrypted expected hash provided by Microsoft

At a minimum:

■ All code and data is verified against signed hashes before being accepted

■ Code and hardware is free of bugs

♦ i.e., buffer and segment overruns, protocol weaknesses

■ Hardware is inviolable


















■ Chain of trustable, verified 
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secure boot block 










Secure boot block details 
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■ Very hard to probe or modify 
Transferring the Trust

# RC4/128 used to encrypt bootloader image

■ RC4/128 is a stream cipher

♦ A ciphertext modification will corrupt the remainder of the plaintext stream

■ Simple "magic number" at the end of the bootloader image, checked to verify integrity

# So long as the RC4/128 key is secret, attackers are unlikely to generate a valid false bootloader image

■ Secondary bootloader continues to transfer trust through verification of digitally signed binaries
Backdoors Galore

Outline

# Background 

# History of the first hardware hacks 

# Summary of security 

# Later hacks 

# Future possibilities 
Jamtable Interpreter

# What it is

■ Bytecode interpreter

■ Orchestrates dependencies and decisions required for machine initialization

# What it can do

■ Reads and writes to PCI, memory, I/O space

■ Conditional jumps, indirect addressing
Jamtable Attacks (visor)

# Jamtables are unencrypted and unverified

■ Can perform attacks without crypto

■ Two-phase soft-reset attacks to read out plaintext

♦ Allow machine to power up normally once, then soft reset with a new jam table that copies code to an insecure location (courtesy visor)
Jamtable Attacks II (visor)

# Jamtable weakness + hardware bugs allow the program counter to be seized

■ Secure boot block jumps to 0xFFFF FFFA when a bad ciphertext image is encountered

■ PC will roll over from 0xFFFF FFFF to 0x0000 0000 without an exception

■ 0x0000 0000 is in SDRAM memory

■ Use jamtable to write at 0x0000 0000 a jump instruction to an insecure FLASH region, and corrupt ciphertext image to seize the PC

■ Courtesy visor
Implications of Visor Attacks

# A crypto-free way of bypassing the secure boot ROM

■ Allows for Linux to be installed without risk of exposing MSFT proprietary code in the plain

■ More "legal" than key extraction approach

■ Method of choice
Alternate Firmware Devices

# Also referred to as the "modchip"

■ Significantly, AFDs come with no code, making them much easier/more legal to sell and trade

# Two major approaches

■ Direct FLASH override

■ LPC FLASH override
Direct FLASH Override

# A ROM chip is soldered, pin for pin, into the Xbox that supplants the FLASH chip
LPC FLASH Override

Why Does It Exist?

# LPC port seems to be essential to the Xbox

■ Later versions of the Xbox have changed available signals to thwart modders, but have not done away with the port

# LPC is a great debug/diagnostic port

■ Use LPC to program factory-blank ROMs

■ Use LPC to diagnose production rejects
Countermeasures

# nVidia has a terrible quarter—I feel terrible!

“What we said about Xbox was that we reached a volume discount milestone, further reducing the margins. And that we will be taking an inventory write off in Q2 related to the amount of Xbox MCPs that were made obsolete when MSFT transitioned to a new security code (by way of the MIT hacker) and excess in nForce chipsets that we built in anticipation of higher demand of Athlon-based PCs.”

- Derek Perez, PR Director nVidia
The New Security

# Andy Green extracted the new MCPX contents through a back door discovered by Jeff Hears

# Analysis revealed that the Xbox's FLASH memory was verified using a hash function
Hash Algorithm

# TEA = Tiny Encryption Algorithm

■ Feistel cipher

■ 32 rounds

■ 128-bit key

■ 64-bit datapath

■ Shift, xor and mod-add only

(Figure: TEA round structure; the only surviving label reads 0x96377505.)
Hash Algorithm

# Operate cipher in chaining mode for hash

(Figure: "TEA in a cipher application": 128-bit key in, 64 bits plaintext in, 64 bits ciphertext out. "TEA used as a hash function": 64-bit key ... ; the rest of the diagram's labels are not recoverable.)
Known Weaknesses!

# A paper^ in 1996 revealed a related-key weakness

■ Bits 31, 63 and 95, 127 of key can be simultaneously inverted and produce the same result for any input

# This is not good for a hash function

■ Extremely easy to generate such collisions

^ “Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and triple-DES”. John Kelsey, Bruce Schneier, and David Wagner. CRYPTO 1996.
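The equivalent-key property from the two Hash Algorithm slides and the Known Weaknesses slide, worked in code. This is an added example, not code from the talk, from the Xbox firmware, or from the cited paper. The chaining construction (each 128-bit block of the image used as the TEA key, the running 64-bit state used as the plaintext, final state as the hash) is an assumption standing in for the MCPX's exact mode, and every function name and the sample image are constructed here.

```python
# Added example: TEA, a TEA-based chained hash, and the Kelsey/Schneier/Wagner
# equivalent-key collision. The chaining mode is an ASSUMPTION, not the MCPX's.
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9   # TEA's round constant
ROUNDS = 32


def tea_encrypt_block(v0, v1, key, rounds=ROUNDS):
    """Reference TEA round: shifts, XORs and mod-2^32 additions only.
    Note that k0/k1 (and k2/k3) enter each round only as (a + k0) ^ (b + k1):
    adding 2^31 to both k0 and k1 flips bit 31 of both sums and the XOR cancels,
    so (k0 ^ 0x80000000, k1 ^ 0x80000000) is an equivalent key. Same for k2/k3."""
    k0, k1, k2, k3 = key
    total = 0
    for _ in range(rounds):
        total = (total + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_chain_hash(image, iv=(0, 0)):
    """ASSUMED construction: every 128-bit block of the image is the TEA key, the
    running 64-bit state is the plaintext, and the final state is the hash."""
    if len(image) % 16:
        raise ValueError("image length must be a multiple of 16 bytes")
    v0, v1 = iv
    for off in range(0, len(image), 16):
        v0, v1 = tea_encrypt_block(v0, v1, struct.unpack("<4I", image[off:off + 16]))
    return (v1 << 32) | v0


def flip_bit_pair(image, half_offset):
    """Flip bits 31 and 63 of the little-endian 64-bit half at half_offset.
    Within a block, the half at offset 0 is (k0, k1) and the half at offset 8 is (k2, k3)."""
    if half_offset % 8:
        raise ValueError("half_offset must be a multiple of 8")
    buf = bytearray(image)
    buf[half_offset + 3] ^= 0x80   # bit 31 of the first word
    buf[half_offset + 7] ^= 0x80   # bit 31 of the second word, i.e. bit 63 of the half
    return bytes(buf)


def flip_single_bit(image, half_offset):
    """Control case: flipping only bit 31 of the half does change the hash."""
    buf = bytearray(image)
    buf[half_offset + 3] ^= 0x80
    return bytes(buf)


def flip_all_pairs(image):
    """The general case: every 64-bit half may be flipped independently, so any
    subset of the halves (here, all of them) gives the same hash."""
    for half_offset in range(0, len(image), 8):
        image = flip_bit_pair(image, half_offset)
    return image


def related_key_collides(image, half_offset):
    return tea_chain_hash(image) == tea_chain_hash(flip_bit_pair(image, half_offset))


# Constructed sample "image": three 128-bit blocks.
SAMPLE_IMAGE = bytes(range(48))

if __name__ == "__main__":
    print(f"hash(original)               = {tea_chain_hash(SAMPLE_IMAGE):016x}")
    print(f"hash(bits 31+63 of half @8)  = {tea_chain_hash(flip_bit_pair(SAMPLE_IMAGE, 8)):016x}")
    print(f"hash(every half flipped)     = {tea_chain_hash(flip_all_pairs(SAMPLE_IMAGE)):016x}")
    print(f"hash(bit 31 only of half @8) = {tea_chain_hash(flip_single_bit(SAMPLE_IMAGE, 8)):016x}")
```

The first three hashes are identical and the fourth differs: with this chaining mode, an attacker-controlled image block is the cipher key, so every equivalent key of the cipher becomes a free collision of the hash. The defensive lesson is the slide's own: a cipher with equivalent keys cannot be turned into a collision-resistant hash by chaining, and a verifier should use a dedicated hash function instead.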
A Stroke of Genius

# Discovered:

■ A long jump instruction early in the verified code

■ The argument of the jump could be manipulated to jump to SDRAM!

♦ Manipulation yields same hash code so it passes the MCPX hash check

♦ Jam tables are checked only by code executed downstream from the hash check, so SDRAM can be seeded with instructions a la Visor
Franz Lehner

RSA with prime numbers

# In normal RSA, the modulus "n" is the product of 2 prime numbers (p and q)

■ The number φ(n) is (p-1)(q-1)

# RSA works when n is prime too

■ The number φ(n) is p-1 then

■ RSA still works

■ Insecure, but unimportant
RSA in the Boot Loader

# The RSA key used to verify the kernel signature in 1.1 is hashed by TEA

# TEA flaw allows bits 31 and 63 of any 64 bits to be simultaneously flipped

# We can change bit pairs in the RSA key

■ Change pairs until the key is prime

■ By the Prime Number Theorem, 1 in 268 2048-bit numbers are prime on average

■ About 2^0 possible ways to flip bit pairs

♦ Easy to find such a prime number

# With this, we can sign our own kernel
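A toy version of the signed-hash check from the trust-chain slides, together with the prime-modulus failure from the two RSA slides above, as an added example: this is not the talk's code and not the Xbox bootloader's. It assumes textbook RSA over a SHA-256 digest reduced mod n (a real verifier would use a padded signature scheme), and the keys, the sample image and all function names are constructed here.

```python
# Added example: why a secure-boot signature check collapses when the RSA
# modulus is prime. Textbook RSA with constructed keys; not the Xbox's code.
import hashlib

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with the first twelve primes as bases (deterministic below 3.3e24)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def private_exponent(e, phi):
    """d = e^-1 mod phi(n) (pow with a negative exponent needs Python 3.8+)."""
    return pow(e, -1, phi)


def digest_as_int(image, n):
    """Toy 'expected hash' of an image, reduced into Z_n so textbook RSA can sign it."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n


def sign_image(image, n, d):
    return pow(digest_as_int(image, n), d, n)


def verify_image(image, signature, n, e):
    """The secure-boot step from the slides: recover the expected hash with the
    public key and compare it with the hash of what is about to run."""
    return pow(signature, e, n) == digest_as_int(image, n)


def private_exponent_from_public_key(n, e):
    """If n is prime, phi(n) = n - 1 is public knowledge, so the 'private' exponent
    follows from the public key alone. Returns None when n is not prime."""
    if not is_probable_prime(n):
        return None
    return private_exponent(e, n - 1)


def verification_key_is_acceptable(n, e):
    """Defender's sanity check before trusting a verification key: reject even,
    tiny or prime moduli. (Does not replace a proper key-generation audit.)"""
    return n > 3 and n % 2 == 1 and e > 1 and not is_probable_prime(n)


# Constructed keys: the textbook pair p=61, q=53 and, as the bad case, the
# Mersenne prime 2^31-1 used directly as a modulus.
GOOD_N, GOOD_E = 61 * 53, 17            # phi(n) = 60 * 52 = 3120
GOOD_D = private_exponent(GOOD_E, 60 * 52)
PRIME_N, PRIME_E = 2**31 - 1, 65537
SAMPLE_IMAGE = b"constructed kernel image"

if __name__ == "__main__":
    sig = sign_image(SAMPLE_IMAGE, GOOD_N, GOOD_D)
    print("composite modulus: verifies:", verify_image(SAMPLE_IMAGE, sig, GOOD_N, GOOD_E))
    print("composite modulus: d from public key:", private_exponent_from_public_key(GOOD_N, GOOD_E))
    d = private_exponent_from_public_key(PRIME_N, PRIME_E)
    forged = sign_image(SAMPLE_IMAGE, PRIME_N, d)
    print("prime modulus: signature made from public key alone verifies:",
          verify_image(SAMPLE_IMAGE, forged, PRIME_N, PRIME_E))
    print("acceptable:", verification_key_is_acceptable(GOOD_N, GOOD_E),
          verification_key_is_acceptable(PRIME_N, PRIME_E))
```

With the composite modulus the verifier learns nothing about d from (n, e); with the prime modulus anyone holding the public key computes the same d the signer uses, so every image verifies. The two checks a verifier can run cheaply are the ones the slides motivate: bind the public key with a collision-resistant hash, and refuse a modulus that is prime.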




Remarkable Timing

# Total time to break security was about three days

■ Probably not worth the pain and suffering applied to nVidia
Outline

# Background 

# History of the first hardware hacks 

# Summary of security 

# Later hacks 

# Future possibilities 
What MS Could Have Done

# Avoid symmetric ciphers in this scenario

■ Difficult to guarantee secrecy of key

■ Cost of ASIC mask sets, lead time make key rotation expensive and difficult

# Use hashes to verify all code and data regions

■ Complex protocols such as x86/PC initialization are difficult to secure

■ Requires a larger piece of code
Bus Override Attack

(Figure: HyperTransport bus trace captured from reset. Columns: "Cycles since reset" and "Data on bus", with a third column of per-cycle flags. Annotations: "Boot vector" and "Jump instruction @ 00001245".)
Bus Override Attack

(Figure: the same bus trace, annotated "Override cycle 22526 with jump opcode to insecure code space"; the bus data at that cycle is shown as E9JMPDST, an x86 near-jump opcode 0xE9 followed by its destination.)
Alternative Solution, Cont'd

# Use digital signatures to verify the FLASH ROM contents

■ Can be defeated with a snoop & modify memory

♦ Most effective in a PC using standard memory sockets

♦ Present trust introspection routines with benign code images

♦ Present malicious memory image at other times

♦ Also use to snoop and extract plaintexts

♦ Snoop-RAM can be fairly inexpensive to manufacture

♦ Inspired by entries about Palladium in Seth Schoen's online diary
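The time-of-check/time-of-use gap behind the "snoop & modify memory" bullets above, modelled in code together with the design that closes it. This is an added example, not the talk's code: the memory model, the toy "execute" step and the way the snooping device tells the verifier's reads apart (a reader tag standing in for access-pattern or timing heuristics) are all constructed simplifications.

```python
# Added example: verify-in-place versus copy-then-verify against a memory that
# answers different readers with different contents. Constructed model only.
import hashlib


def digest(image):
    return hashlib.sha256(image).digest()


class HonestRam:
    """Ordinary memory: every reader sees the same bytes."""

    def __init__(self, image):
        self.image = bytes(image)

    def read(self, reader):
        return self.image


class SnoopRam:
    """Model of the slide's snoop-and-modify memory: the trust introspection
    routine's reads get a benign image, every other read gets a different one.
    How a real device distinguishes the two is abstracted into the reader tag."""

    def __init__(self, benign_image, other_image):
        self.benign, self.other = bytes(benign_image), bytes(other_image)

    def read(self, reader):
        return self.benign if reader == "verifier" else self.other


def execute(image):
    """Toy CPU: 'running' an image just returns its text."""
    return image.decode("ascii")


def verify_in_place_then_execute(ram, expected_digest):
    """Flawed design: the hash covers one read of external memory and execution
    fetches the image again, so the two reads can disagree (TOCTOU)."""
    if digest(ram.read("verifier")) != expected_digest:
        return None
    return execute(ram.read("cpu"))


def copy_verify_execute(ram, expected_digest):
    """Mitigation: fetch the image once into memory the snooper cannot reach
    (on-die SRAM in a real design), then verify and execute that same copy."""
    private_copy = bytes(ram.read("cpu"))
    if digest(private_copy) != expected_digest:
        return None
    return execute(private_copy)


# Constructed sample images and the signed-off digest of the benign one.
BENIGN = b"benign boot image"
OTHER = b"other boot image"
EXPECTED = digest(BENIGN)

if __name__ == "__main__":
    for name, ram in (("honest RAM", HonestRam(BENIGN)), ("snoop RAM", SnoopRam(BENIGN, OTHER))):
        print(f"{name:10s} verify-in-place  -> {verify_in_place_then_execute(ram, EXPECTED)!r}")
        print(f"{name:10s} copy-then-verify -> {copy_verify_execute(ram, EXPECTED)!r}")
```

Against honest memory both designs run the benign image; against the snooping memory the verify-in-place design checks one image and runs another, while the copy-then-verify design either runs exactly the bytes it hashed or refuses to boot. The signature scheme is not what fails here: the bytes that are checked and the bytes that are executed must be the same bytes.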
# Questions?